MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21930f21d68a7153f47f1ceeb1ceefa59158b90100909c474f462cb8c8751cf4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 21930f21d68a7153f47f1ceeb1ceefa59158b90100909c474f462cb8c8751cf4
SHA3-384 hash: b005ed6bc60f674cc0f61a16db27c7478a8887072861788b8de4b0d7518e9d5307d4af5cd9a5f0e351bbf7f26a576984
SHA1 hash: 87dc821aea154873ae933920025825a9df7e62d2
MD5 hash: 55198611ddf654a11c07e17eefbb1a82
humanhash: twelve-four-edward-six
File name:SOA HAULAGE.zip
Download: download sample
Signature AgentTesla
Create hunting rule
File size:526'105 bytes
First seen:2021-11-01 17:25:32 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 12288:RZ/1hKa091qF9qIeEwST8n/LsFQT4K6jVkOdLxFhf7/ze:jN4a0aF9Hcy7Fq3adLHhf7/S
TLSH T121B423D33971EA6D25C9B46F9D25E6614D910EA6838EFA4E5830CC01F07B38EA0B754E
Reporter cocaman
Tags:AgentTesla zip


Avatar
cocaman
Malicious email (T1566.001)
From: "Billing NWD <billing@northwest.my>" (likely spoofed)
Received: "from northwest.my (unknown [103.167.84.87]) "
Date: "1 Nov 2021 10:25:02 -0700"
Subject: "OCEANMASTER DEPOH / HAULAGE - OVERDUE OUTSTANDING SOA IN EXCEL FORMAT AS AT 31.07.2021"
Attachment: "SOA HAULAGE.zip"

Intelligence

File Origin
# of uploads :
1
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PWS-FCZF5E7280F3A57C.23930.4901.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
formbook obfuscated packed
Link:
https://www.filescan.io/uploads/6180232d9a5a1e91c5da49d1/reports/6a6e224b-6eb5-4b81-85ec-697bdce2ab44/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/21930f21d68a7153f47f1ceeb1ceefa59158b90100909c474f462cb8c8751cf4
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/21930f21d68a7153f47f1ceeb1ceefa59158b90100909c474f462cb8c8751cf4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-11-01 14:44:35 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=egjq6iowrjyvh5d7dtxldtxpuwivroibacijyr2piywlrsdvdt2a._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/211101-vzvmqsfccp/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/21930f21d68a7153f47f1ceeb1ceefa59158b90100909c474f462cb8c8751cf4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 21930f21d68a7153f47f1ceeb1ceefa59158b90100909c474f462cb8c8751cf4

(this sample)

AgentTesla

Executable exe 724b120b7ffde986da46253c47263800e733f2df7de94711b331080f7a3ad740

  
Delivery method
Distributed via e-mail attachment
  
Dropping
SHA256 724b120b7ffde986da46253c47263800e733f2df7de94711b331080f7a3ad740
  
Dropping
AgentTesla

Comments